CIOs say training, staff are the keys to security

Energy CIO John Gilligan says training is still the best way for agencies to invest in security.

By William Jackson

GCN Staff

The biggest challenges for government information security planners are the most mundane: budgets, training and staff.

Presidential Decision Directive 63, issued last year, requires executive agencies to establish programs for protecting critical infrastructures, including information systems. But needed resources have been slow in coming, several federal systems officials said last week.

The Energy Department's chief information officer, John Gilligan, said the bad publicity his department had received for lax security had made him optimistic about his $35 million request for information security in this budget year. The department sought that money for fiscal 2000, but Congress did not include it in the appropriations bills it passed this month [GCN, Oct. 11, Page 1].

"Thus far, we have not been successful in getting that money," Gilligan said at the National Information Systems Security Conference in Arlington, Va. The annual conference is sponsored by the National Institute of Standards and Technology, the National Computer Security Center and the National Security Agency.

The Commerce Department has asked for $79.2 million in fiscal 2001 for its critical infrastructure protection plan.

CIO Roger W. Baker said the Office of Management and Budget wants to offset the request with cuts elsewhere, which will not encourage bureaus to put a high priority on information security.

At the Defense Department, funding for security personnel and training is chronically short, said Christopher K. Mellon, deputy assistant secretary for security and information operations in command, control, communications and intelligence.

All the speakers agreed that personnel and training are the most pressing agency needs.

NASA has the highest concentration of computer scientists in the government but is "not happy with our training for systems administrators," deputy CIO David Nelson said. The space agency wants to set up a certification program but so far has not found suitable curricula.

DOD is in worse shape, Mellon said. "We don't know who our systems administrators are," he said. "We don't have a personnel system that tracks people by that title."

The department is working to find a system to identify administrators, but that will not help retain them, Mellon said. As soon as they are trained, they can leave the military for more money in the private sector, he said.

By any measure, Gilligan said, training is still the best security investment an agency can make. "We've become the poster child for cybersecurity," he said.

Gilligan came to Energy a year ago and proposed spending $50 million to improve security of the department's unclassified computer systems, which were rapidly becoming interconnected.

"We had dramatically increased our risk of exposure," he said.

He was told instead to focus on the classified systems. "That focus held for about a month and a half," he said, when it was discovered that a scientist at Los Alamos National Laboratory had moved nuclear weapons information from a classified system to an unclassified terminal.

Now the focus is back on unclassified networks, but funding for security training and personnel has turned into a political battle.

"There is a lot of tension about our budget priorities" in Congress, Gilligan said.

One agency that does not complain about security budget problems is NASA. It does not get all the money it wants, but "we haven't had much trouble getting the money we need," Nelson said.

NASA developed a set of metrics to track the cost of responding to security incidents and uses the figures to support budget requests.

Gilligan agreed with the need to treat security as a business issue.

"You've got to stop talking in computer security geek-talk, in terms of IP addresses and vulnerabilities, and start talking about business cases," he said.